I know this is an incredibly old thread, but I was wondering if there has been
any progress on this topic within the last 8 years.
I am attempting to use views to offer different configurations of RPZ filtering
to different subsets of the user population. My original approach was having
multiple named processes running on different ports, with PF redirecting port
53 to the appropriate port based on the user's source IP.
Some of my RPZ zones are quite large, and if the same zone records exist for
multiple configurations, this means loading a lot of the same data into
multiple processes, resulting in long startup times and very high memory
utilization. So I wanted to use views to reduce named to a single process, and
define RPZ zones that can be shared among multiple views using the "in-view"
config.
I'm using a config like the following:
    view Child {
        match-clients { Child; };
        allow-recursion { any; };
        response-policy { zone "cf1"; zone "cf2"; };
        zone "cf1" {
            type master;
            file "cf1";
        };
        zone "cf2" {
            type master;
            file "cf2";
        };
    };
    view Teen {
        match-clients { Teen; };
        allow-recursion { any; };
        response-policy { zone "cf1"; };
        zone "cf1" {
            in-view Child;
        };
    };
Since the RPZ for cf1 is large, I want to only have to load/keep a single copy
of it in memory and reference it from both the Child and Teen views. However,
the above configuration gives me the error:
    response-policy zone 'cf1' for view B is not a master or slave zone
If I add "type master;" to the cf1 zone in view B, I get:
    zone 'cf1': 'in-view' used with incompatible zone options
So it appears my goal is still not achievable, unless I'm missing something.
Is there some other mechanism to achieve this end result (sharing zones between
different user populations without loading multiple copies of the zone into
memory)?
I am currently running BIND 9.16.44, by the way.
Thanks for any advice!